Conficker…Am I missing something?

January 20, 2009

OK so it seems to be spreading itself fairly rapidly…but I remember when a PAYLOAD actually was something to be concerned about. What the fuck is it that this Conficker does? Ooh, it blocks access to a handful of `security` websites, stops auto backups running and disables system restore (erm, which most sensible people disable voluntarily because it’s just a vuln in itself which is exploited by other malicious code), and, erm, I think that’s about it. Wow.

Worry more about the backdoors, rootkits and viruses which are NOT being talked about so much, which have very few if any clues as to their presence… www.rootkit.com

Anyway, if you ARE concerned about Conficker, here’s the overview/details from NAI.

Overview –

This detection is for a worm that exploits the MS08-067 vulnerability as the main vehicle of infection. It also uses other common techniques for spreading, as outlined in the Method of Infection section. It also downloads and executes various files onto the affected system.

Aliases

Worm:Win32/Conficker.A (Microsoft)

Crypt.AVL (AVG)

Mal/Conficker-A (Sophos)

Trojan.Win32.Pakes.lxf (F-Secure)

Trojan.Win32.Pakes.lxf (Kaspersky)

W32.Downadup (Symantec)

Worm:Win32/Conficker.B (Microsoft)

WORM_DOWNAD.A (Trend Micro)

Characteristics –

When executed, the worm copies itself using a random name to the %Sysdir% folder.

(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)

New variants have been observed dropping copies of themselves also into:

%Program Files%\Internet Explorer\[Random].dll

%Program Files%\Movie Maker\[Random].dll

%All Users Application Data%\[Random].dll

%Temp%\[Random].dll

%System%\[Random].tmp

%Temp%\[Random].tmp

Where [Random] is a random name of 4 to 8 letters only.

On NTFS filesystems the dropped files often have modified access permissions. Access to the file is completely removed for all users and groups. This is done to make detection and cleaning more difficult.

It modifies the following registry key to create a randomly-named service on the affected system:

Several variants remove access to the above registry key by changing the key ACLs. This is also an attempt to make detection and removal of the service key more difficult. The service name is generated dynamically by joining words from a hardcoded list:

Boot

Center

Config

Driver

Helper

Image

Installer

Manager

Microsoft

Monitor

Network

Security

Server

Shell

Support

System

Task

Time

Universal

Update

Windows

It will inject itself into various running processes. Different variants have been observed injecting into one or more of:

svchost.exe

explorer.exe

services.exe

Attempts connections to one or more of the following websites to obtain the public IP address of the affected computer:

hxxp://www.getmyip.org

hxxp://getmyip.co.uk

hxxp://checkip.dyndns.org

hxxp://whatsmyipaddress.com

Attempts to download a malware file from the remote website:

hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe

New variants are connecting to various other hosts.

Starts an HTTP server on a random port on the infected machine to host a copy of the worm.

Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the HTTP server and download a copy of the worm. The HTTP connection is performed on a random port and the file transferred will have one of the following extensions:

bmp

gif

jpeg

png

Later variants of w32/Conficker.worm attempt to connect to remote hosts using the local credentials, a list of usernames retrieved from the target system and a long list of hardcoded passwords. In doing so it may lock out domain accounts where the policy is set to allow only a limited number of wrong passwords.

On successfully exploited remote systems the worm drops a copy of itself in the %Sysdir% folder and creates a scheduled task to execute it. It may also create a copy in the remote “Recycle Bin” folder and an Autorun.inf file.

Using these techniques the worm may replicate onto non-vulnerable systems or reinfect previously infected systems after they have been cleaned.

The worm hooks system APIs to prevent access to security websites. A list of some of the locked domains is:

ahnlab

arcabit

avas

avg

avira

avp

bit9

ca

castlecops

centralcommand

cert

clamav

comodo

computerassociates

cpsecure

drweb

emsisoft

esafe

eset

etrust

ewido

fortinet

f-prot

f-secure

gdata

grisoft

hacksoft

hauri

ikarus

jotti

k7computing

kaspersky

mcafee

microsoft

nai

networkassociates

nod32

norman

norton

panda

pctools

prevx

quickheal

rising

sans

securecomputing

sophos

spamhaus

sunbelt

symantec

threatexpert

trendmicro

vet

wilderssecurity

windowsupdate

Some security services may also be disabled by the infection.

Symptoms –

Network port scan on port 445, as per the MS08-067 exploit.

Access to the above-mentioned domains.

Domain accounts being locked due to maximum login attempts.

Presence of the above-mentioned files and registry keys with empty permissions.

Scheduled tasks being created.

Autorun.inf files being created.

Access to security related web sites is blocked.
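As an added detection example (not part of the NAI advisory or this post), the following Python checks two of the symptoms listed above from a defender's side: service names built from the advisory's word list, and one host fanning out to many peers on TCP/445. The flow-log layout, the sample flows and the function names are all constructed for the example.

```python
import re
from collections import defaultdict

# Word list reproduced from the advisory above; the worm joins words from it
# to build its service name (e.g. "NetworkHelper", "SystemUpdate").
SERVICE_WORDS = [
    "Boot", "Center", "Config", "Driver", "Helper", "Image", "Installer",
    "Manager", "Microsoft", "Monitor", "Network", "Security", "Server",
    "Shell", "Support", "System", "Task", "Time", "Universal", "Update",
    "Windows",
]

def is_wordlist_service_name(name: str, min_words: int = 2) -> bool:
    """True if `name` consists only of list words, at least `min_words` of them.
    A hit is a lead to check against a known-good service baseline, not a verdict."""
    def rec(rest: str, count: int) -> bool:
        if not rest:
            return count >= min_words
        return any(rest.startswith(w) and rec(rest[len(w):], count + 1)
                   for w in SERVICE_WORDS)
    return rec(name, 0)

# Assumed (constructed) flow-log layout: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW = re.compile(r"^\S+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$")

def find_445_scanners(lines, min_targets: int = 20) -> dict:
    """Map each source that touched >= min_targets distinct hosts on TCP/445 to that count.
    The advisory's subnet sweep fans one source out to many destinations on 445,
    whereas a normal SMB client talks to a handful of servers."""
    targets = defaultdict(set)
    for line in lines:
        m = FLOW.match(line)
        if m and m["proto"] == "TCP" and m["dport"] == "445":
            targets[m["src"]].add(m["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}

def sample_flows() -> list:
    """Constructed sample: one host sweeping its /24 on 445, plus ordinary traffic."""
    sweep = [f"2009-01-20T10:{i % 60:02d}:00 10.0.5.23:{40000 + i} -> 10.0.5.{i}:445 TCP"
             for i in range(1, 61)]
    normal = ["2009-01-20T10:01:00 10.0.5.40:50001 -> 10.0.5.200:445 TCP"] * 5
    normal += ["2009-01-20T10:02:00 10.0.5.41:50002 -> 198.51.100.7:80 TCP"]
    return sweep + normal

if __name__ == "__main__":
    print(find_445_scanners(sample_flows()))          # {'10.0.5.23': 60}
    print(is_wordlist_service_name("NetworkHelper"))  # True
    print(is_wordlist_service_name("wuauserv"))       # False
```

Tune `min_targets` to the size of your subnets; the point is the fan-out of distinct destinations on 445 from a single source, not the raw connection count.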

Method of Infection –

This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate. Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning.

It also spreads by brute-forcing remote systems’ passwords and installing scheduled tasks and/or autorun.inf files on the victim.

Removal –

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.